tls: add min/max_version and their defaults
shigeki committed May 6, 2018
1 parent e4b5267 commit 26388fe
Showing 6 changed files with 64 additions and 9 deletions.
19 changes: 14 additions & 5 deletions lib/_tls_common.js
Expand Up @@ -36,9 +36,11 @@ var crypto = null;

const { SecureContext: NativeSecureContext } = process.binding('crypto');

function SecureContext(secureProtocol, secureOptions, context) {
function SecureContext(min_version, max_version, secureProtocol,
secureOptions, context) {
if (!(this instanceof SecureContext)) {
return new SecureContext(secureProtocol, secureOptions, context);
return new SecureContext(min_version, max_version,
secureProtocol, secureOptions, context);
}

if (context) {
Expand All @@ -47,9 +49,9 @@ function SecureContext(secureProtocol, secureOptions, context) {
this.context = new NativeSecureContext();

if (secureProtocol) {
this.context.init(secureProtocol);
this.context.init(min_version, max_version, secureProtocol);
} else {
this.context.init();
this.context.init(min_version, max_version);
}
}

Expand Down Expand Up @@ -86,7 +88,14 @@ exports.createSecureContext = function createSecureContext(options, context) {
if (options.honorCipherOrder)
secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;

const c = new SecureContext(options.secureProtocol, secureOptions, context);
if (!options.min_version)
options.min_version = tls.DEFAULT_MIN_VERSION;

if (!options.max_version)
options.max_version = tls.DEFAULT_MAX_VERSION;

const c = new SecureContext(options.min_version, options.max_version,
options.secureProtocol, secureOptions, context);
var i;
var val;

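Review bot: `createSecureContext` now writes the defaults back into the caller's `options` object (the two `if (!options.min_version)` / `if (!options.max_version)` blocks), so creating a context mutates a user-owned object as a side effect. Resolving the values into locals keeps the input untouched: `const min_version = options.min_version || tls.DEFAULT_MIN_VERSION;`, `const max_version = options.max_version || tls.DEFAULT_MAX_VERSION;`, then `new SecureContext(min_version, max_version, options.secureProtocol, secureOptions, context)`. The new parameters are also prepended to the `SecureContext` signature rather than appended, which breaks any caller of the constructor not updated in this commit; if `SecureContext` is reachable outside this file, appending them is the compatible choice. Both `SecureContext` and `createSecureContext` continue outside their hunks.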
4 changes: 4 additions & 0 deletions lib/_tls_wrap.js
Expand Up @@ -885,6 +885,8 @@ function Server(options, listener) {
ciphers: this.ciphers,
ecdhCurve: this.ecdhCurve,
dhparam: this.dhparam,
min_version: this.min_version,
max_version: this.max_version,
secureProtocol: this.secureProtocol,
secureOptions: this.secureOptions,
honorCipherOrder: this.honorCipherOrder,
Expand Down Expand Up @@ -957,6 +959,8 @@ Server.prototype.setOptions = function(options) {
if (options.clientCertEngine)
this.clientCertEngine = options.clientCertEngine;
if (options.ca) this.ca = options.ca;
if (options.min_version) this.min_version = options.min_version;
if (options.max_version) this.max_version = options.max_version;
if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
if (options.crl) this.crl = options.crl;
if (options.ciphers) this.ciphers = options.ciphers;
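Review bot: The two new options are spelled `min_version`/`max_version` while every neighbouring option in both hunks (`ecdhCurve`, `dhparam`, `secureProtocol`, `clientCertEngine`, `honorCipherOrder`) is camelCase, so the public options object now carries two naming conventions; `minVersion`/`maxVersion` would match the existing surface, and the same spelling is repeated in lib/_tls_common.js, lib/https.js and lib/tls.js in this commit. `setOptions` also copies the value whenever it is truthy without checking that it is a string, so a non-string falls through to the native `init`, which only reads string arguments and otherwise leaves the version at 0 (see src/node_crypto.cc in this commit); a `typeof options.min_version === 'string'` check here, or an `ERR_INVALID_ARG_TYPE` throw, would surface the mistake at the JS boundary instead. `Server` and `Server.prototype.setOptions` both continue outside their hunks.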
8 changes: 8 additions & 0 deletions lib/https.js
Expand Up @@ -186,6 +186,14 @@ Agent.prototype.getName = function getName(options) {
if (options.servername && options.servername !== options.host)
name += options.servername;

name += ':';
if (options.min_version)
name += options.min_version;

name += ':';
if (options.max_version)
name += options.max_version;

name += ':';
if (options.secureProtocol)
name += options.secureProtocol;
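Review bot: The two new key segments append `options.min_version`/`options.max_version` verbatim, whereas `createSecureContext` in lib/_tls_common.js (same commit) substitutes `tls.DEFAULT_MIN_VERSION`/`tls.DEFAULT_MAX_VERSION` when they are absent, so `{}` and `{ max_version: 'TLSv1.2' }` (constructed example) receive different agent pool names yet appear to produce the same native context. If the name is meant to identify the effective configuration, normalising with the same defaults here would make the key canonical; if it is deliberately the caller-supplied value, a one-line comment saying so, e.g. `// version fields reflect the caller's options, not the applied defaults`, would stop the mismatch being read as a bug. `getName` continues outside the hunk.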
5 changes: 5 additions & 0 deletions lib/tls.js
Expand Up @@ -52,6 +52,11 @@ exports.DEFAULT_CIPHERS =

exports.DEFAULT_ECDH_CURVE = 'auto';

// disable TLS1.3 by default for cipher suite incompatibilities with TLS1.2
exports.DEFAULT_MAX_VERSION = 'TLSv1.2';

exports.DEFAULT_MIN_VERSION = 'TLSv1';

exports.getCiphers = internalUtil.cachedResult(
() => internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true)
);
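Review bot: `DEFAULT_MIN_VERSION` is added without a comment, whereas the ceiling two lines above explains why it is capped at TLSv1.2; since this constant is the protocol floor applied to every context that does not override it, a comment stating what compatibility the `'TLSv1'` floor is preserving and when it is expected to move up belongs next to it, e.g. `// Lowest version accepted unless min_version is given; kept at TLSv1 for <stated compatibility reason>`. Both constants are new public API on the `tls` module, as are the `min_version`/`max_version` options they back, and none of the six files in the diffstat is a documentation file, so the TLS API documentation needs entries for them along with the default values.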
33 changes: 31 additions & 2 deletions src/node_crypto.cc
Expand Up @@ -363,17 +363,46 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
}


int string_to_tls_protocol(const char* version_str) {
int version;

if (strcmp(version_str, "TLSv1.3") == 0) {
version = TLS1_3_VERSION;
} else if (strcmp(version_str, "TLSv1.2") == 0) {
version = TLS1_2_VERSION;
} else if (strcmp(version_str, "TLSv1.1") == 0) {
version = TLS1_1_VERSION;
} else if (strcmp(version_str, "TLSv1") == 0) {
version = TLS1_VERSION;
} else {
version = 0;
}
return version;
}


void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
SecureContext* sc;
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
Environment* env = sc->env();

int min_version = 0;
int max_version = 0;

if (args[0]->IsString()) {
const node::Utf8Value min(env->isolate(), args[0]);
min_version = string_to_tls_protocol(*min);
}

if (args[1]->IsString()) {
const node::Utf8Value max(env->isolate(), args[1]);
max_version = string_to_tls_protocol(*max);
}

const SSL_METHOD* method = TLS_method();

if (args.Length() == 1 && args[0]->IsString()) {
const node::Utf8Value sslmethod(env->isolate(), args[0]);
if (args.Length() == 3 && args[2]->IsString()) {
const node::Utf8Value sslmethod(env->isolate(), args[2]);

// Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends
// are still accepted. They are OpenSSL's way of saying that all known
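Review bot: `string_to_tls_protocol` maps any unrecognised string to 0 and `SecureContext::Init` forwards that 0 without complaint, so a misspelt `min_version` or `max_version` becomes indistinguishable from "not specified" instead of being rejected at the boundary; if the rest of `Init` (which continues past the hunk) hands these values to OpenSSL, a typo would silently widen the accepted protocol range rather than fail. Rejecting the unknown value while the string is still in hand, `if (min_version == 0) return env->ThrowError("Unsupported min_version");` inside the `args[0]->IsString()` block, with the mirror check for `max_version` in the `args[1]` block, turns that into an error the JS caller sees, and a test passing an unknown version string should pin it. `string_to_tls_protocol` is a file-local helper but is neither `static` nor in an anonymous namespace, so it gets external linkage for no reason; its `version` local can also go by returning directly from each branch. A short comment on `Init` stating the expected argument shape, `// args: (min_version, max_version[, secureProtocol]) — all strings`, would document the position-based protocol that the `args.Length() == 3` check now relies on.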
4 changes: 2 additions & 2 deletions test/parallel/test-https-agent-getname.js
Expand Up @@ -12,7 +12,7 @@ const agent = new https.Agent();
// empty options
assert.strictEqual(
agent.getName({}),
'localhost:::::::::::::::::'
'localhost:::::::::::::::::::'
);

// pass all options arguments
Expand All @@ -39,5 +39,5 @@ const options = {
assert.strictEqual(
agent.getName(options),
'0.0.0.0:443:192.168.1.1:ca:cert::ciphers:key:pfx:false:localhost:' +
'secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext'
'::secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext'
);
